{ config, pkgs, ... }:
{
config = {
services.etebase-server = let
  # The Django secret is read from a sops-managed file at runtime instead of
  # being written into the (world-readable) Nix store.
  secretKeyFile = config.sops.secrets."etebase-server-secret.txt".path;
in {
  enable = true;
  # No TCP listener at all: the app is reachable only through the unix socket,
  # which nginx connects to via its "etebase" upstream.
  port = null;
  unixSocket = "/run/etebase-server/etebase-server.sock";
  user = "etebase";
  settings = {
    # Host allow-list for the app; nginx forwards the client's Host header, so
    # only requests addressed to this name are accepted.
    allowed_hosts = {
      allowed_host1 = "etesync.yggdrasil.li";
    };
    global = {
      secret_file = secretKeyFile;
    };
    # No password is configured here, so database authentication must be
    # handled by the local PostgreSQL (presumably peer auth over its socket) —
    # confirm in the postgresql configuration.
    database = {
      engine = "django.db.backends.postgresql";
      name = "etebase";
      user = "etebase";
    };
  };
};
# Give the unit ownership of /run/etebase-server so it can create the socket
# configured in services.etebase-server.unixSocket; the directory name here
# must stay in sync with that path.
systemd.services.etebase-server.serviceConfig.RuntimeDirectory = "etebase-server";
# NOTE(review): RuntimeDirectoryMode is left at its default (0755), so the
# socket directory is traversable by everyone. Since nginx is already placed in
# the etebase group, "0750" would be the tighter choice — confirm the unit's
# Group= before changing it.
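sops.secrets."etebase-server-secret.txt" = {
  # Opaque key material, not a structured YAML/JSON secret.
  format = "binary";
  sopsFile = ./secret.txt;
  owner = config.services.etebase-server.user;
  group = config.services.etebase-server.user;
  # Pin the mode rather than relying on the sops-nix default: nginx is a
  # member of the etebase group (see the users block), so anything
  # group-readable here would hand the app's secret key to the reverse proxy.
  # Owner-only read is all the service needs.
  mode = "0400";
  # Restart the app so a rotated key is actually picked up.
  restartUnits = [ "etebase-server.service" ];
};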
# rfc2136Domains is a local option (not upstream NixOS); presumably it issues
# ACME certificates using RFC 2136 DNS updates — verify in the defining module.
# nginx loads its certificates via LoadCredential at unit start, so it has to
# be restarted, not merely reloaded, whenever a certificate is renewed.
security.acme.rfc2136Domains = let
  restartNginx = { restartUnits = [ "nginx.service" ]; };
in {
  "etesync.yggdrasil.li" = restartNginx;
  "app.etesync.yggdrasil.li" = restartNginx;
};
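services.nginx = {
  # Backend pool: the app is only reachable over its unix socket (no TCP port).
  upstreams."etebase" = {
    servers = {
      "unix://${config.services.etebase-server.unixSocket}" = {};
    };
  };
  virtualHosts = {
    # API host: static files served straight from disk, everything else proxied.
    "etesync.yggdrasil.li" = {
      kTLS = true;
      http3 = true;
      forceSSL = true;
      # Certificate material is provided through systemd LoadCredential (see
      # systemd.services.nginx), so nginx needs no access to the ACME directory.
      sslCertificate = "/run/credentials/nginx.service/etesync.yggdrasil.li.pem";
      sslCertificateKey = "/run/credentials/nginx.service/etesync.yggdrasil.li.key.pem";
      sslTrustedCertificate = "/run/credentials/nginx.service/etesync.yggdrasil.li.chain.pem";
      extraConfig = ''
        client_max_body_size 100M;
        charset utf-8;
      '';
      locations = {
        # The app's static_root; the trailing slash makes alias map
        # /static/foo onto <static_root>/foo.
        "/static/" = {
          alias = "${config.services.etebase-server.settings.global.static_root}/";
        };
        # The bare root is not an API endpoint; send browsers to the web client.
        "= /".return = "301 https://app.etesync.yggdrasil.li";
        "/".extraConfig = ''
          proxy_pass http://etebase;
          # Upgrade pass-through. NOTE(review): "upgrade" is sent unconditionally,
          # i.e. also on ordinary requests; nginx's documented pattern is a map
          # to $connection_upgrade so non-upgrade requests get "close" instead.
          proxy_http_version 1.1;
          proxy_set_header Upgrade $http_upgrade;
          proxy_set_header Connection "upgrade";
          proxy_redirect off;
          # Forward the original Host so the app's allowed_hosts check sees the
          # public name rather than the upstream name.
          proxy_set_header Host $host;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          proxy_set_header X-Forwarded-Host $server_name;
          # The upstream hop is plain HTTP over the socket; tell the app that
          # the client connection was TLS. This is only honoured if the backend
          # is configured to trust it (Django: SECURE_PROXY_SSL_HEADER) and is
          # harmless otherwise.
          proxy_set_header X-Forwarded-Proto $scheme;
        '';
      };
    };
    # Web-client host: the SPA bundle is served read-only from the Nix store.
    "app.etesync.yggdrasil.li" = {
      kTLS = true;
      http3 = true;
      forceSSL = true;
      sslCertificate = "/run/credentials/nginx.service/app.etesync.yggdrasil.li.pem";
      sslCertificateKey = "/run/credentials/nginx.service/app.etesync.yggdrasil.li.key.pem";
      sslTrustedCertificate = "/run/credentials/nginx.service/app.etesync.yggdrasil.li.chain.pem";
      locations."/".alias = "${pkgs.etesync-web}/";
    };
  };
};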
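systemd.services.nginx = {
  serviceConfig = {
    # systemd.exec(5) has no "ReadPaths=" directive (the sandboxing keys are
    # ReadWritePaths=, ReadOnlyPaths=, InaccessiblePaths=, ...), so the
    # previous key was an unknown setting that systemd ignores. ReadOnlyPaths=
    # states the actual intent: nginx only ever reads the collected static
    # files and the web-client bundle, never writes them.
    ReadOnlyPaths = [
      config.services.etebase-server.settings.global.static_root
      pkgs.etesync-web
    ];
    # Hand the ACME material to nginx as systemd credentials: systemd copies
    # the files into /run/credentials/nginx.service/ when the unit starts, so
    # the nginx user needs no read access to the ACME directories and their
    # private keys. Credentials are loaded once at start, which is why the
    # rfc2136Domains entries restart nginx on renewal.
    LoadCredential = [
      "etesync.yggdrasil.li.key.pem:${config.security.acme.certs."etesync.yggdrasil.li".directory}/key.pem"
      "etesync.yggdrasil.li.pem:${config.security.acme.certs."etesync.yggdrasil.li".directory}/fullchain.pem"
      "etesync.yggdrasil.li.chain.pem:${config.security.acme.certs."etesync.yggdrasil.li".directory}/chain.pem"
      "app.etesync.yggdrasil.li.key.pem:${config.security.acme.certs."app.etesync.yggdrasil.li".directory}/key.pem"
      "app.etesync.yggdrasil.li.pem:${config.security.acme.certs."app.etesync.yggdrasil.li".directory}/fullchain.pem"
      "app.etesync.yggdrasil.li.chain.pem:${config.security.acme.certs."app.etesync.yggdrasil.li".directory}/chain.pem"
    ];
  };
};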
users = let
  svcUser = config.services.etebase-server.user;
in {
  # Dedicated system account for the app, homed in its data directory.
  users.${svcUser} = {
    isSystemUser = true;
    group = svcUser;
    home = config.services.etebase-server.dataDir;
  };
  # nginx joins the app's group, presumably so it can reach the unix socket
  # and the static_root it serves. NOTE(review): this also grants nginx read
  # access to anything else that is group-readable under the data directory,
  # so secrets owned by this user should stay at mode 0400.
  groups.${svcUser} = {
    members = [ "nginx" ];
  };
};
};
}